Overview

Use Origin CA certificates to encrypt traffic between Cloudflare and your origin web server. For convenience, security, and performance, Cloudflare recommends an Origin CA certificate over a self-signed certificate or one purchased from a public Certificate Authority. With an Origin CA certificate you can use the Full and Full(strict) SSL modes in the Cloudflare Crypto app without first buying a certificate to install at your origin web server. Note that Origin CA certificates are issued by Cloudflare's own CA and are trusted only by Cloudflare, not by browsers: they protect the Cloudflare-to-origin hop, and a visitor who bypasses Cloudflare and connects to the origin directly will see a certificate warning.

I have my own private key and CSR: paste your Certificate Signing Request into the text field. With this option the private key stays on your server and is never sent to Cloudflare.

List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone root and first level wildcard hostname are included by default.

You can include up to 100 hostnames or wildcard hostnames on a single certificate and can include hostnames for other domains within the same Cloudflare account. You can also add support for multi-level subdomains such as *.test.dev.www.example.com.

Choose the certificate expiration. The default is 15 years and the minimum is 7 days.

Click Next.

Select the Key Format: the format that best matches your environment. Most OpenSSL-based web servers such as Apache and NGINX expect PEM files (Base64-encoded ASCII) but also accept binary DER files. Windows and Apache Tomcat users must opt for PKCS#7. A PKCS#7 file carries certificates only; whichever format you choose, the private key is shown separately in the next step.

Copy the signed Origin Certificate and Private key details into separate files as instructed by the Origin Certificate Installation window.

Be sure to copy the Private key information before clicking OK. For security reasons, the Private key is not displayed again after Origin certificate creation.
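The whole of Step 2 from the origin side, as an added example that is not part of the Cloudflare page: generating the private key and CSR for the "I have my own private key and CSR" option, then, once the issued certificate has been pasted into a file, checking that it belongs to the key and converting it to the DER and PKCS#7 forms mentioned above. The hostnames and file names are assumptions, and the script only uses the openssl command line.

```shell
#!/bin/sh
# Added example (not from the Cloudflare page): prepare a key and CSR for the
# "I have my own private key and CSR" option, then verify and convert the
# certificate Cloudflare returns. Hostnames and file names are assumptions.
set -eu
umask 077   # every file written here, the private key included, is created 0600

# make_origin_csr KEY CSR HOST...
# Writes a 2048-bit RSA private key to KEY and a CSR to CSR. The CSR's SAN list
# records every HOST (wildcards allowed); the hostnames entered in the Cloudflare
# dashboard are what actually end up on the certificate, so keep the two lists
# identical. The private key never leaves this machine.
make_origin_csr() {
  key=$1; csr=$2; shift 2
  sans=""
  for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
  openssl req -new -key "$key" -out "$csr" -subj "/CN=$1" -config /dev/stdin <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
[ext]
subjectAltName = $sans
EOF
}

# check_origin_cert CERT KEY
# Run after pasting the issued certificate into CERT: fails unless KEY is the
# private key for CERT (compares the public keys), then prints the SAN list and
# expiry so you can confirm the hostnames and validity period you requested.
check_origin_cert() {
  cert=$1; key=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$key is not the private key for $cert" >&2
    return 1
  fi
  openssl x509 -in "$cert" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
  openssl x509 -in "$cert" -noout -enddate
}

# convert_origin_cert CERT.pem
# Cloudflare hands out PEM; produce the binary DER form and a PKCS#7 bundle
# (for Windows or Tomcat). Both carry the certificate only, never the key.
convert_origin_cert() {
  cert=$1; base=${cert%.pem}
  openssl x509 -in "$cert" -outform DER -out "$base.der"
  openssl crl2pkcs7 -nocrl -certfile "$cert" -out "$base.p7b"
}

# Usage, e.g.:
#   sh origin-cert.sh make_origin_csr origin.key origin.csr example.com '*.example.com'
#   sh origin-cert.sh check_origin_cert origin.pem origin.key
#   sh origin-cert.sh convert_origin_cert origin.pem
if [ $# -gt 0 ]; then "$@"; fi
```

Run `check_origin_cert` before restarting the web server: a certificate pasted against the wrong key is the most common reason the server fails to start after this step, and the private key cannot be recovered from the dashboard afterwards.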

Step 3 - Configure the SSL mode in the Cloudflare Crypto app

After you install the Origin CA certificate at your origin web server, instruct Cloudflare to encrypt traffic to it: set the SSL mode in the Cloudflare Crypto app to either Full or Full(strict). Prefer Full(strict) where possible. Full encrypts the connection but does not validate the origin's certificate, whereas Full(strict) requires a valid Origin CA or publicly trusted certificate and so also protects against an impersonated origin.

Make this change globally via the Crypto app only if all of your origin hosts are protected by Origin CA certificates or publicly trusted certificates. Otherwise, set Full or Full(strict) for just the covered hostnames via the Cloudflare Page Rules app.

To avoid redirect loop errors, first ensure your origin web server does not redirect HTTPS to HTTP or HTTP to HTTPS in a way that contradicts the SSL mode Cloudflare uses to reach it. Under Full or Full(strict) Cloudflare connects to the origin over HTTPS, so an origin that redirects HTTPS requests to HTTP sends every request back through Cloudflare and into the same redirect; redirecting plain HTTP to HTTPS at the origin is safe in these modes because Cloudflare never uses the plain-HTTP port.
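As an added example that is not part of the Cloudflare page, this is an NGINX origin configuration prepared for Full(strict), showing where the files from Step 2 go and which redirect is safe. The hostnames and certificate paths are assumptions.

```nginx
# Added example (not from the Cloudflare page). Paths and hostnames are assumptions.
server {
    listen 80;
    server_name example.com www.example.com;
    # Safe under Full and Full(strict): Cloudflare reaches the origin on 443, so only
    # direct plain-HTTP requests ever hit this redirect. Under Flexible this same
    # line would loop (Cloudflare fetches over HTTP and is sent back to HTTPS).
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/cloudflare/origin.pem;   # Origin CA certificate from Step 2
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;   # private key saved in Step 2, mode 0600

    # Do not add a "return 301 http://..." here: Cloudflare connects over HTTPS in
    # Full and Full(strict), so an HTTPS-to-HTTP redirect would loop.
    location / {
        root /var/www/example;
        index index.html;
    }
}
```

Reload NGINX after installing the files and, before switching the Crypto app to Full(strict), confirm the 443 server block actually presents the Origin CA certificate (for example with `openssl s_client -connect origin-ip:443 -servername example.com`); the certificate will show as untrusted from a plain client, which is expected, since only Cloudflare trusts the Origin CA.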

(optional) Step 4 - Add Cloudflare Origin CA root certificates

Some origin web servers require the Cloudflare Origin CA root certificate to be installed alongside the Origin CA certificate, for example to serve a complete chain. RSA and ECC versions of the root certificate are provided below; click a link to download the file:

Remove an Origin CA certificate

Select the appropriate account for the domain whose Origin CA certificate needs to be revoked.

Select the domain.

Click the Crypto app and scroll down to Origin Certificates.

Under Full(strict), visitors will see certificate errors from the moment the certificate is revoked until a replacement Origin CA certificate is installed. To avoid this, set the SSL mode to Full or Flexible rather than Full(strict), either globally via the Crypto app or for the affected hostname via the Page Rules app, before revoking the certificate, and return to Full(strict) once the replacement is in place.

Click the X icon to the right of the certificate name in the list of Origin CA certificates.